<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from rtf -->
<style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<font face="Arial" size="2">
<div>Hi</div>
<div>Yes, agree with you. The idea is a shortcoming. </div>
<div> </div>
<div>My experience tells me that law seldom originates from (the need of) individual users or a protocol, but by legal tradition in the legislation, i.e. eventually, interpretation by 27 member state (MS) legislations will go before directive intentions.</div>
<div> </div>
<div>This means - if understood correctly - that the data consent procedure is decided upon in each and every MS. In other words, rules may actually vary a bit, which from a protocol view just will make the situation worse. </div>
<div> </div>
<div>Therefore, I agree with Jim Reid on this:</div>
<div>"But how these get enacted and enforced in national law differs from country to country."</div>
<div> </div>
<div>When interpreting this directive into Swedish law, lawyers currently discuss the criteria for what makes an 'active consent' just active. Can the automation of consents by protocols be a way to meet legislators' demands on active consent? In the end, it's
an interpretation if automation is enough, and we'll probably have a ruling on this by a national court, eventually. </div>
<div> </div>
<div> </div>
<div>/Staffan</div>
<div> </div>
<div>Cell phone: + 46/0 73 317 39 67</div>
<div>Mail: staffan.jonson@iis.se</div>
<div> </div>
<div> </div>
<div>-----Original Message-----</div>
<div>From: cooperation-wg-admin@ripe.net [<a href="mailto:cooperation-wg-admin@ripe.net">mailto:cooperation-wg-admin@ripe.net</a>] On Behalf Of Alessandro Vesely</div>
<div>Sent: 18 May 2011 20:56</div>
<div>To: cooperation-wg@ripe.net</div>
<div>Subject: [cooperation-wg] SMTP forwarding in the face of Data Protection Directive</div>
<div> </div>
<div>Hi all,</div>
<div>can a tool for lawfully acquiring a user's consent via the Internet</div>
<div>motivate SMTP operators to modify their procedures in such a way that</div>
<div>spam can be countered more effectively? Let me please expand slightly</div>
<div>on this question, I'll try and be concise.</div>
<div> </div>
<div>It is well known that the Simple Mail Transfer Protocol provides for</div>
<div>replacing the envelope recipient with one or more other email</div>
<div>addresses. This server forwarding is not to be confused with manually</div>
<div>forwarding a message from a client. Mailing lists and newsletters are</div>
<div>operated that way, as well as redirection configured by means of "dot</div>
<div>forward" static files. Since email addresses are personal data, their</div>
<div>processing is covered by Directive 95/46/EC.</div>
<div> </div>
<div>How is the data subject's consent acquired? In response to the Data</div>
<div>Protection Directive, operators should have defined a protocol for</div>
<div>obtaining and keeping proof of the consent. It never happened. In</div>
<div>fact, it is very difficult to introduce new protocols for email -- new</div>
<div>protocols for web operations come about much more frequently.</div>
<div> </div>
<div>Evidence that consent has been granted can be provided by the data</div>
<div>subject's mail exchanger (MX, a.k.a. the user's incoming mail server).</div>
<div> It can digitally sign a notification from the data processor. That</div>
<div>way, the user's server becomes aware of a new wanted stream of</div>
<div>messages, and can whitelist it. That is, it can skip anti-spam</div>
<div>checking for those messages. As bulk messages account for a</div>
<div>significant part of legitimate mail, anti-spam measures could then be</div>
<div>significantly strengthened.</div>
<div> </div>
<div>The users' advantage is to have an automatically maintained list of</div>
<div>subscriptions, and a uniform interface to manage them. Currently,</div>
<div>users have to interact with what can be called a "time-distributed</div>
<div>database", in the sense that monthly or yearly they may receive</div>
<div>subscription reminders...</div>
<div> </div>
<div>The obvious shortcoming of this idea is that mail server operators</div>
<div>simply won't install any new software if their systems can work</div>
<div>acceptably well without it. However, acquiring written consent is</div>
<div>such a pain to many businesses that, perhaps, they will install that</div>
<div>software if it helps with complying with privacy issues. What do you think?</div>
<div> </div>
<div>TIA for any comment</div>
<div> </div>
<div> </div>
<div> </div>
<div> </div>
</font>
</body>
</html>